A UK view on Cyber, Information & IT Security by Security Expert Dave Whitelegg. Providing advice and explaining security for everyone, and also contemplating advanced themes and future trends in security.
With a focus on all the latest developments & issues within the UK Information Security space such as Hacking, DDoS, Botnets, Malware, Identity Theft, Data Protection (DPA) and regulatory compliance like PCI DSS & ISO27001:2013, all will be explained in an easy to understand way.

Saturday, 15 June 2013

Man City Hack: When Information is worth more than money

The Manchester City scouting database hack is close to my heart on two counts: it highlights the corporate espionage side of information security, and it involves my other passion away from security, the beautiful game, football.

Funny but it's no laughing matter for MCFC

City Scouting Database Compromise is Clouded

What is clear is that Manchester City officials believe their confidential scouting database has been taken by a rival club employee, but how this data was compromised is cloudy. The City scouting data was stored in a cloud-based (online) application called ProScout7. Scout7, a Midlands-based company, were quick to deny their system had been hacked, and suggested the fault lay with City's scouts' password management: in other words, that either a City scout had not protected their username and password, or the PC the scout was using to access Scout7 had been compromised with a keylogger or trojan software, passing on the Scout7 account credentials to a rival scout. The released details on the cause are sketchy, and it is quite possible the ProScout7 system was hacked, but we can only speculate about the cause at this point. One thing is for certain: the scouting information is very important to Manchester City football club, and it is of value to their footballing competitors.

When Information is worth more than money

City's scouting knowledge has a direct cash value, in that rival teams may be alerted and bid for the same players City are interested in, pushing up the transfer price. This could easily result in a transfer increase in the millions. But there is another value, which is more than the transfer fee: City want to beat rivals like Manchester United, Chelsea, and other European big spenders in signing the best available players. Signing players ahead of rivals can make all the difference, and can decide the winners of titles. If Robin Van Persie had been signed by City instead of United last season, I am sure most footballing pundits would agree City would have won the title.

Case in point: as soon as City found out their database was compromised by a rival club, they immediately took action and signed two of their secret targets, Jesus Navas (£24m) and Fernandinho (£30m), before their rivals could muscle in.

£24Million Navas

£30 Million Fernandinho

In all, this is an interesting incident, as it highlights the real high-stakes value of information, and the reality of corporate espionage in the UK. The incident also poses the usual set of security questions, starting with: when information is known to be a high-value business asset, is the business really doing enough to protect that asset? For example:

Does the Scouting application sufficiently protect the scouting database? Especially with access control, ensuring scouts only have access to information on a need to know basis.

Are the computers used by the scouts appropriately secured? i.e. Anti-Virus, Patch Management, and other end point security technologies

Is the third party scouting company adequately vetted and managed by City?

Even if the ProScout7 online application was found to be at fault, Manchester City are still responsible for ensuring Scout7, a third party company City entrust with their holy of holies data, are able to protect their scouting information in line with their valuation of it.
